4.57 Cherry-Pick: Strip RSR suffixes prior to handing off OS version …

…from Nudge check to Semver comparison (#22842) Cherry-pick for patch release of #22830, for #22829 Fixes 500s in config endpoint when a machine with an RSR version installed is in a team with enforced macOS updates --------- Co-authored-by: Tim Lee <[email protected]>
fleetdm · Oct 10, 2024 · 2069217 · 2069217
1 parent 284b9dd
commit 2069217
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 2 deletions.
diff --git a/changes/22829-nudge-500-fix b/changes/22829-nudge-500-fix
@@ -0,0 +1 @@
+* Fixes Orbit configuration endpoint 500s for Macs running Rapid Security Response macOS releases that are enrolled in OS major version enforcement
diff --git a/server/fleet/operating_systems.go b/server/fleet/operating_systems.go
@@ -2,6 +2,7 @@ package fleet
 
 import (
 	"fmt"
+	"regexp"
 	"strings"
 
 	"github.com/Masterminds/semver"
@@ -34,6 +35,7 @@ func (os OperatingSystem) IsWindows() bool {
 }
 
 var macOSNudgeLastVersion = semver.MustParse("14")
+var macOSRapidSecurityResponseVersionSuffix = regexp.MustCompile(` \([a-z]\)`)
 
 // RequiresNudge returns whether the target platform is darwin and
 // below version 14. Starting at macOS 14 nudge is no longer required,
@@ -43,7 +45,8 @@ func (os *OperatingSystem) RequiresNudge() (bool, error) {
 		return false, nil
 	}
 
-	version, err := semver.NewVersion(os.Version)
+	// strip Rapid Security Response suffix (e.g. version 13.3.7 (a)) if any
+	version, err := semver.NewVersion(macOSRapidSecurityResponseVersionSuffix.ReplaceAllString(os.Version, ``))
 	if err != nil {
 		return false, fmt.Errorf("parsing macos version \"%s\": %w", os.Version, err)
 	}

diff --git a/server/fleet/operating_systems_test.go b/server/fleet/operating_systems_test.go
@@ -35,8 +35,12 @@ func TestOperatingSystemRequiresNudge(t *testing.T) {
 		{platform: "darwin", parseError: true},
 		{platform: "darwin", version: "12.0.9", requiresNudge: true},
 		{platform: "darwin", version: "11", requiresNudge: true},
+		{platform: "darwin", version: "13.3.1 (a)", requiresNudge: true},
+		{platform: "darwin", version: "13.4.1 (c)", requiresNudge: true},
 		{platform: "darwin", version: "14.0"},
 		{platform: "darwin", version: "14.3.2"},
+		{platform: "darwin", version: "15.0.1"},
+		{platform: "darwin", version: "15.0.1 (a)"},
 		{platform: "windows"},
 		{platform: "windows", version: "12.2"},
 		{platform: "windows", version: "15.4"},

diff --git a/server/vulnerabilities/nvd/cve_test.go b/server/vulnerabilities/nvd/cve_test.go
@@ -343,7 +343,7 @@ func TestTranslateCPEToCVE(t *testing.T) {
 		},
 		"cpe:2.3:a:python:python:3.9.6:*:*:*:*:windows:*:*": {
 			includedCVEs: []cve{
-				{ID: "CVE-2024-4030", resolvedInVersion: "3.12.4"},
+				{ID: "CVE-2024-4030", resolvedInVersion: "3.9.20"},
 			},
 			continuesToUpdate: true,
 		},
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		* Fixes Orbit configuration endpoint 500s for Macs running Rapid Security Response macOS releases that are enrolled in OS major version enforcement